Re: [pgAdmin][5919] Fix security related issues
From | Akshay Joshi
---|---
Subject | Re: [pgAdmin][5919] Fix security related issues
Date |
Msg-id | CANxoLDc-x371pOonhWK_jirbnQi1zJsd4a8qXCqaow-sMpOQ7g@mail.gmail.com
In reply to | Re: [pgAdmin][5919] Fix security related issues (Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>)
List | pgadmin-hackers
Thanks, patch applied.
On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Thank you Dave for the suggestion. Please find the attached updated patch to make HSTS by default disabled and conditional based on flag.

Regards,
Ganesh Jaybhay

On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:

Hi Hackers,

Please find the attached patch to fix the below security issues:

- Host Header Injection - Added ALLOWED_HOSTS list to limit host address
- Lack of Content Security Policy (CSP) - Added security header
- Lack of Protection Mechanisms - HSTS - Added security header
- Lack of Cookie Attribute - Secure: Kept as False as Secure limits cookies to HTTPS traffic only.
- Information Disclosure - Web Server / Development Framework Version. Description: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.

Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Sr. Software Architect
EDB Postgres
Mobile: +91 976-788-8246
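As an added illustration of the hardening items listed in the thread (this is example code, not the pgAdmin patch itself): a framework-agnostic Host-header check against ALLOWED_HOSTS, the response headers with HSTS off by default and gated on a flag, and the Secure cookie attribute kept off unless configured. The config key names other than ALLOWED_HOSTS (ENABLE_HSTS, SESSION_COOKIE_SECURE) are hypothetical names chosen for this example.

```python
# Added example, not pgAdmin's own code. Config keys other than
# ALLOWED_HOSTS are hypothetical names chosen for this illustration.
from typing import Dict, List, Optional

# Defaults follow the review outcome: HSTS is disabled unless a flag turns
# it on, because forcing it on breaks dev/test/redeploy workflows.
DEFAULT_CONFIG = {
    "ALLOWED_HOSTS": [],            # empty list: accept any Host value
    "ENABLE_HSTS": False,           # hypothetical flag name
    "SESSION_COOKIE_SECURE": False, # Secure attribute off, as in the patch
}


def host_allowed(host_header: Optional[str], allowed_hosts: List[str]) -> bool:
    """Host-header injection check: the Host value, minus any port, must be
    listed in ALLOWED_HOSTS. An empty list disables the check."""
    if not allowed_hosts:
        return True
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):              # IPv6 literal keeps its brackets
        host = host.split("]")[0] + "]"
    else:                                 # hostname or IPv4: drop ":port"
        host = host.split(":")[0]
    return host in [h.lower() for h in allowed_hosts]


def security_headers(config: Dict, is_https: bool) -> Dict[str, str]:
    """Headers to attach to every response. HSTS is emitted only when the
    flag is set and the response is served over HTTPS, since browsers
    ignore the header on plain HTTP anyway."""
    headers = {
        "Content-Security-Policy": "default-src 'self'",
        "Server": "Python",  # fixed value instead of wsgi/gunicorn version
    }
    if config.get("ENABLE_HSTS") and is_https:
        headers["Strict-Transport-Security"] = (
            "max-age=31536000; includeSubDomains"
        )
    return headers


def cookie_attributes(config: Dict) -> str:
    """Attribute string for the session cookie: Secure only when configured,
    since Secure restricts the cookie to HTTPS traffic."""
    attrs = ["HttpOnly"]
    if config.get("SESSION_COOKIE_SECURE"):
        attrs.append("Secure")
    return "; ".join(attrs)
```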